Login Sign Up

CVE-2023-29186

8.7 HIGH
Denial of Service

📋 TL;DR

This vulnerability allows attackers with administrative privileges to exploit a directory traversal flaw in SAP NetWeaver BI CONT ADDON reports to upload and overwrite files on the SAP server. While data cannot be read, critical OS files can be overwritten, potentially making the system unavailable. Affected systems include SAP NetWeaver (BI CONT ADDON) versions 707, 737, 747, and 757.

💻 Affected Systems

Products:
  • SAP NetWeaver BI CONT ADDON
Versions: 707, 737, 747, 757
Operating Systems: All supported OS for SAP NetWeaver
Default Config Vulnerable: ⚠️ Yes
Notes: Requires administrative privileges to exploit; affects specific report functionality in BI CONT ADDON.

📦 What is this software?

Netweaver by Sap

View all CVEs affecting Netweaver →

Netweaver by Sap

View all CVEs affecting Netweaver →

Netweaver by Sap

View all CVEs affecting Netweaver →

Netweaver by Sap

View all CVEs affecting Netweaver →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system unavailability through overwriting critical OS files, leading to denial of service and potential data loss.

🟠

Likely Case

System disruption or downtime through file overwriting attacks by privileged attackers.

🟢

If Mitigated

Limited impact if proper access controls and file system permissions are enforced.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires administrative privileges; directory traversal techniques are well-understood.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Apply SAP Security Note 3305907

Vendor Advisory: https://launchpad.support.sap.com/#/notes/3305907

Restart Required: Yes

Instructions:

1. Download SAP Note 3305907 from SAP Support Portal. 2. Apply the correction instructions provided in the note. 3. Restart affected SAP services. 4. Verify the fix is applied.

🔧 Temporary Workarounds

Restrict Report Access

all

Limit access to vulnerable report functionality to only necessary users.

Configure SAP authorization profiles to restrict report execution

File System Permissions

linux

Set restrictive permissions on OS directories to prevent file overwriting.

chmod 750 /usr/sap/
chown sapadmin:sapsys /usr/sap/

🧯 If You Can't Patch

  • Implement strict access controls to limit administrative privileges
  • Monitor file system changes and implement file integrity monitoring

🔍 How to Verify

Check if Vulnerable:

Check SAP system version and verify if SAP Note 3305907 is applied using transaction SNOTE.

Check Version:

Execute SAP transaction SM51 to check system version and patch level.

Verify Fix Applied:

Verify SAP Note 3305907 implementation status and test report functionality for directory traversal.

📡 Detection & Monitoring

Log Indicators:

  • Unusual file upload activities in SAP logs
  • Failed directory traversal attempts in system logs

Network Indicators:

  • HTTP requests with directory traversal patterns to report endpoints

SIEM Query:

source="sap_logs" AND ("directory traversal" OR "../" OR "..\")

📊 Metadata

CVE ID: CVE-2023-29186
CVSS v3 Score: 8.7 (HIGH)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:H
CWE: CWE-22
Published: April 11, 2023
Last Updated: November 21, 2024

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2023-29186, you might also want to check these:

CVE-2024-43955 10.0

CVE-2024-43955 is an unauthenticated path traversal vulnerability in the Droip WordPress plugin that...

Same vulnerability type (CWE-22)
CVE-2025-54261 10.0

This critical path traversal vulnerability in Adobe ColdFusion allows attackers to escape restricted...

Same vulnerability type (CWE-22)
CVE-2024-40628 10.0

This critical vulnerability in JumpServer allows attackers to read arbitrary files from the Celery c...

Same vulnerability type (CWE-22)